Message-ID: <3E25F928.9040500@potentialtech.com>
Date: Wed, 15 Jan 2003 19:13:28 -0500
From: Bill Moran
To: lewwid@telusplanet.net
Cc: FreeBSD-stable@freebsd.org
Subject: Re: Freebsd 4.7.2 DHCP Spamming

lewwid wrote:
> Has anyone heard of an issue where a freebsd box can rack up multiple ips over the course
> of ~2 days? There should only be 1 ip address allocated to my box.
>
> For some reason on Dec 2nd, Dec 30th, and Jan 14th my box decided to keep requesting IPs, thus
> racking up ~100 before they shut me off each time. Why would they keep permitting ip requests
> above the 2 allowed ips?

If they try to bully you, you need to stand up to them and point out how easy
their system is to compromise, and explain that your computer having problems
is no excuse for their servers not acting sanely.

> I'm running a GENERIC kernel, all source updated and installed from cvsup3.freebsd.org. Only ssh
> listening.
>
> They say that, either I'm doing it on purpose, I'm exploited, or there's a problem with the dhclient.
>
> I was monitoring the box using tcpdump + dhcpdump to watch the requests. Unfortunately I rebooted after about
> 5 days (Jan 7th ish). I thought the problem was resolved. I asked them for logs but they can't provide any.

Yes, but you have logs. What do you see in /var/log/messages around the time the
problem occurred? dhclient will log its activity, such as renewing leases, or
inability to renew a lease that results in a new lease.

> Could they have changed something near the end of November, or the start of December as this problem has
> not happened *ever* in 6 years before this.

Did you change anything? If not, then you either got compromised, your hardware
is failing, or they changed something.

> *** Somehow I'm supposed to solve this problem without logs. Hopefully someone has run into this
> problem in the past and knows a solution. It's to never happen again or
> they will cancel my account.

And yet they can't prove that the problem isn't their own fault? Sounds like
your ISP is an asshole. What company is it?

> The only thing I could relate to this is an acknowledgement from Vancouver's Shaw guys
> that there is a problem.
>
> http://www.dslreports.com/comment/1704/19357
>
> Dropping DHCP leases
> Actually about the dropping DHCP leases, which some of our customers are seeing. We're still in the process of looking over the reason for their occurrence. For the majority of our customers, this never seems to be a problem but for a certain select
> minority it seems that the lease can get dropped for various reasons.
> The most prominent reason we could come up with was that it was some sort of software or hardware configuration issue with the customer's computer, (either firewall blocking dhcp
> requests/acknowledgements or network cards that are not acting properly when handling the dhcp packets). We're still in the process of investigating the problem and a possible fix, but we do need help. Anyone running Linux, we could really use logs on
> the authentication process that a computer goes through when getting the dhcp lease. If anyone fits this category, send some mail to

Are you running ipfw or ipf? I think you can block DHCP in such a way that it
can't renew leases, but can successfully request new ones.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
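
An added example, not part of the original message: a Python script that reads dhclient lines from /var/log/messages and separates normal renewals from the pattern suggested in the reply above, where unicast renewal requests go unanswered and the client falls back to DHCPDISCOVER and is bound to a different address. The log lines are constructed, and the message formats are assumed to match ISC dhclient's usual syslog output.

```python
import re

# Constructed sample of /var/log/messages (documentation address ranges only).
SAMPLE = """\
Jan 14 01:00:01 host dhclient: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 5
Jan 14 01:00:02 host dhclient: DHCPREQUEST on fxp0 to 255.255.255.255 port 67
Jan 14 01:00:02 host dhclient: DHCPACK from 192.0.2.1
Jan 14 01:00:02 host dhclient: bound to 198.51.100.10 -- renewal in 1800 seconds.
Jan 14 01:30:02 host dhclient: DHCPREQUEST on fxp0 to 192.0.2.1 port 67
Jan 14 01:30:02 host dhclient: DHCPACK from 192.0.2.1
Jan 14 01:30:02 host dhclient: bound to 198.51.100.10 -- renewal in 1800 seconds.
Jan 14 02:00:02 host dhclient: DHCPREQUEST on fxp0 to 192.0.2.1 port 67
Jan 14 02:00:40 host dhclient: DHCPREQUEST on fxp0 to 192.0.2.1 port 67
Jan 14 02:30:02 host dhclient: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 4
Jan 14 02:30:03 host dhclient: DHCPREQUEST on fxp0 to 255.255.255.255 port 67
Jan 14 02:30:03 host dhclient: DHCPACK from 192.0.2.1
Jan 14 02:30:03 host dhclient: bound to 198.51.100.11 -- renewal in 1800 seconds.
"""

BROADCAST = "255.255.255.255"
# Assumed formats: "DHCPxxx on IF to PEER", "DHCPxxx from PEER", "bound to ADDR".
EVENT = re.compile(
    r"dhclient(?:\[\d+\])?: (?:(DHCP[A-Z]+) (?:on \S+ to|from) (\S+)|bound to (\S+))")

def lease_churn(lines):
    """Summarise lease renewals versus fresh leases in dhclient log lines."""
    addresses, current, discovering = [], None, False
    renewed = unanswered = rediscovers = pending = 0
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        msg, peer, bound = m.groups()
        if msg == "DHCPREQUEST" and peer != BROADCAST:
            pending += 1                      # unicast renewal sent to the server
        elif msg == "DHCPACK":
            pending = 0                       # the server answered
        elif msg == "DHCPDISCOVER":
            if current is not None and not discovering:
                rediscovers += 1              # gave up the lease, starting over
                unanswered += pending
            pending, discovering = 0, True
        elif bound:
            if bound == current:
                renewed += 1
            if bound not in addresses:
                addresses.append(bound)
            current, discovering = bound, False
    return {"addresses": addresses, "renewed": renewed,
            "unanswered_renewals": unanswered, "rediscovers": rediscovers}

if __name__ == "__main__":
    print(lease_churn(SAMPLE.splitlines()))
```

A growing `addresses` list together with non-zero `unanswered_renewals` points at renewals being dropped on the path (for example by a local ipfw or ipf rule) while broadcast requests still succeed.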